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(57) Abstract 

The invention relates to a procedure for the control of applications stored in a subscriber identity module in a data conununication 
system comprising a data conmiunication network.(4), a terminal device (MS). connected, to the data communication networic, a subscriber 
identity module (SIM) connected to. the terminal device and . containing a stored application diat makes use of the data communication 
network and is used by means of the terminal device, and an application control server (1) connected to the data cprmmmication network. 
In an embodiment of the iiivention, a key list comprising one or more application-specific keys is stored in the subscriber identity module 
(SIM). A corresponding list is also stored in the application control server, which takes care of the control of applications stored iii subscriber 
identity modules. The application stored in the subscriber identity module is activated and/or closed by using the kcy list 
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PROCEDURE FOR THE CONTROL OF APPLICATIONS STORED IN. A 
SUBSCRIBER IDENTITY MODULE 

The present invention relates to a procedure 
as defined in the preamble of claim 1 for verifying 
5 the rights relating to the control of keys to applica- 
tions stored in a subscriber, identity module and to 
the use of such applications. 

With the development of mobile communication 
networks, especially GSM networks (GSM, Global System 

10 for Mobile Communications), the services offered 
through them develop as -well. Especially in applica- 
tions making use of mobile communication networks and 
requiring a high level of data security, e.g. in pay- 
ments for services, ordering, order conf irmat±ons, 

15 payment orders, bank services, etc., problems are en- 
countered regarding safe application-specific control 
of keys and billing of license fees for operator- 
independent services . The problem is accentuated by 
the fact that subscriber identity modules used in GSM 

20 terminals are manufactured by several enterprises and 
that there are many companies offering applications 

and several * operators delivering subscriber identity 

modules 'to - customers i : :In ^addition, the applications 

. ,used to provide s.ervlces in the .GS^I network are pften 

25 produced by outside software suppliers or equivalent, 
which means ^that the licenses-^f or the applications be- 
long to the software suppliers*. ^ - 

■ If -a license fee is to- be -charged for the use 

/J of an application/ it is necessary to carefully follow 

30 the use . of the application and define the limits wit- 
hin which the application may be used. For this purpo- 
SB no solution has been presented before, at least no 
solution that allows centralised control of the 
subscriber identity modules and the- passwords relating 

35 to the applications stored in them.-^ 
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. :The object of ^Jthe • present invention is to 
eliminate the* drawbacks described aboy.e. 

A specific objectrof the present invention is 
to produce, a new. type, of procedure which is applicable 
5 for the ..control :pf vkeys to applications making use of 
the subscriber identity module and foir the control of 
license agreements concejrning the use of such applica- 
tions and which -can be easily implemented in a centra- 
• lised ' form.:^ independent., of;, different suppliers • 
IQ . A :.further object of /the present invention is 

to produce a procedure, with a high level of data secu- 
' rity that allows flexible and reliable .safeguarding of 
the interests .iof .dperatprv module manufacturer, appli- 
" dat^ion developers ;and users ofc applications - 
15 , r A =^ -As '::f or- the .'features. of the in- 

,vention/ reference ;is made to the claims. 

- : ! In con junction with the present procedure for 
the control \ofv applipatiqns - stored in a subscriber 
identity :moduie>". thei .data - communicatipn system prefe- 
20 rably comprises, i a.:. data , GommuniGatiQn network and a 
' terminal device:, ^connected ^ rto the data communication 
network. Preferably:: the data ; communication network is 
a GSM -network- :and :rthe terminal device is a GSM te- 
lephon-e. vThe GSM telephone is preferably provided with 
25 a subscriber identity . module containing an application 
- ^ ^ stored : in: it/- which- /Utilises ; the data communication 
' network' rand -is .us:ed via the. terminal device for bank 
or- other services available. ,, The data communication 
system also comp'rises. an .application . control server 
30 - (1) : connected, to the: data ^. communication network. The 
applicatioTi control server .is preferably a computer or 
equivalent which is provided withr means for setting up 
a . connection . .to the data ^communication network and 
; with software for., implementing the required applica- 
3 5* :tions: The. ,softwar.e .is preferably managed by service 
providers- or. especially by data -communication suppli- 
ers." providing mana:gement services. 
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' " • ' Acfcording to the- invention, a key list com- 

prisirig one or more application-specific keys is sto- 
ired in the subscriber identity module. The key list is 
''^ • preferably 'linked - or-, connected:., with the subscriber 
5 id^fitity mbc&le by, -using ia unique identifier corres- 
pohding''**to ' th¥- "modulei^ : A corre.spondintg list is also 
sVbred:' irt the appl^^^ server , and the app- 

lication stored -*in '^-the subscribec: identity module is 
' ' activated'^ind/6r-i'c;l63^d using :the- ls:ey.. list . 
* *lb^ ■'^if-^ -Thus,- fn '^the prjocedure^ of the invention, sto- 
' red on- a sm^rt ' card- -(S^IW -card b , inc the .mobile station 
" 'is -^a' list*^ of>^^keys i-Compri^,ing./the . keys K(l) , K(2) , 

Kfri) 'and 'KS<1) eind '^KA t2) "needed ^f or activating or clo- 
• 'slhV different -applications -on ;ttie,-.c:ard- The SIM card 
15 or siibscrlber-^identity -module preferably also contains 
modules 'f or a-ctFf vatirig '^smi rclosing - the application. In 
coHjtinctibn with ^Manufacture ,x , t he IM card has^ 
initialised ^with- ' a ' s^^curxty^ j^d^^ manner . 

The activ*ting/'cl6s±tiV' rnodui-^ used to ensure that 

2 0 the;, applJcat'fon, ^^-' ^u'ch^" aa's electoronic >-signature. utili- 
' "' ' ^ sih'g the smart card, . can be . activated/closed by the 
Icey control- systeifi- if iiecess^ry . .-Thus, .the procedure 
of the -invention implements application-specific key 
'" control in additr'Qn^to ^t^he previously ' known S/IM card 
• '25 key- control system. : 5r: : , 

' . The- -appricSLtion-specif ic key control system 
' knows - the ke^s ^tieeded: .^^in;: ;;an application or applica- 
tions, and these keys ineed not be .known to the mobile 
- ■ communic-atadh operator'-St' key: control . system. The app- 
•30 licati6n-j5E>ecif re- key contorol: -system of the invention 
cab 'be separated from the^ operators' .key control sys- 
■ ' ' tems, • thus making it possible to provide a service, in- 

' dependent of data communication network and operator. 
"The key control system . responsible, for the applica- 
35 • tions ..need not know the teleoperator' s keys, which are 
> : ' -used for user identification i-n* basic mobile . communi- 
cation services in a "'manner known in itself. Key cont- 
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- -rol €or appliqations is implemented in a protected da- 

tabase, from which: application-specific services uti- 
lising the. SIM c^rd and: requiring a high level of data 
security can. be ..activated and closed. 
5 .., AS compared with, prior art,, the invention has 

the advantage that,, the procedure allows local identi- 

- • ficatibn of the ..user -of sjeccvices requiring a high le- 

vel of data security by all service providers xn the 

- networks of . dif ferent ., operators.^ as well as a centra- 
10 'lised -implementation of- key cpntr.ql. . 

Moreover, the. procedure of the invention al- 
• lows control and billing of use.ir-specif ic payments and 
• licenses f or-, dif Cerent ..application^ .. 

: " in an .en^dAment^ of., the invention, the vali- 
dity of the ; user.' s right, ^,of 'access to. the application 
-stored- -in the- aubscxiber. .identity module is verified 
periodically. ..If - it . is ..established ^ that the access 
-right ^ha's- expired,:, then,., using, an appropriate key, the 
' • application -in the,..subsGj^iber idepti,ty mod can be 

20 closed^. •■ • ■■ . : i...:-. . . . • 

,-. -.f- - , In -.•.conjunction.- -with the activation of the 

- application: stored in. the subscriber ' identity module, 
/ the- subscriber... identity module is . sent a message con- 
cerning the opening of the-,, application, said message 
containing -the.-, application key k(n) to bemused in the 
application.'., In.: t^e, ..application control server, the 
appli-cation key.fis attached to. the unique identifier 
corresponding -rto the subscriber, identity module. Based 
on thel-key list, .the. right of access to the applicati- 
on -isTpreferably verified, in,, the -application control 
s_erver^-and, if- • a valid access^, ri^hit- ..ejcists, the spe- 

- \ diil data'ineededi in the, applicatipn, e.g. service. 
A description and: application^specitic user interface 

:A;odes, are -senti.'. - _ ^ 

35 . .- . . In an embodiment. . pf . the present invention, 
• all messages- between the applica1:ion. control server 
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■ and the "■•teirrtinal ■ device are - encryp.ted regardless of 
the coritent of the message. =• ' •-: : 

'■• ""■ • • the following, the invention will be 

described'"' by the aid^ of -embodiment examples by refer- 
5 "ring to "the' 'attached drawing, - in 'which ^ 

' FigV 1 presents ^a prefer.re4 data communicati- 
on system in" which' the procedure of ;.the; ^ invention can 
be" used; and - • ... ... .-. - 

■■^ E'i"g.' ''2' -'presents-'a . bldck diagram of a prefer- 
10 red emboHiment ^f^ the procedure :of -the;. invention. 

■'- M.^.~-p-pxeSehts^.an example of a data communi- 

" " ' ' cation sy'^tem -^n which :the ? procedure of • the invention 
can be 'implemented. The ...dajta: .cQmmunication system 
shown ' in' Fig^.'' 1- •Compr-i!5e:s -a GS.M telephone network 4. 
■ -15 Connected " t-o 'tW GSM network. ^:i:S -a, mobile station MS 
compatible with- the^<- netwoxJc r-and ...prqvided with a 
subs6rib^f •xdentity -module . S IM,-. tin, CQn junction with 
manufacture','-- l^he subscti^^ SIM has 

be^h ' initialised - using a securit-y.- module in a manner 
20 known in itself; reference is made. ,to patent specifi- 
■ •' cation' WO 90711849.- Moreover, .the subscriber identity 
■ ' module comp'risgs ah - activating : and- clo^iing module 2, 
3, "Whieh are -used for the.- acti-v^ition,' and closing of 

.' " the 'a'pplicatibri-. -•. -. > •- i 
■"'" 25 • The ser-vi-ce -.provider' s ■ application control 

' ■ ' 'server i" is •-Connected: tol the.,(3SM network and to the 
' ' service providel:' s" equipment e-. g ... via a telephone net- 
' " work 'PSTN/ ISDN.' The connect ion rbet^ application 
Sbritroi -'server ''X - and the GSM telephone -MS is set up in 
3 0* accordknce- with-t-he normal GSM practice -either as a 

■ voiced, 'ddta- o-r short message tconnection. Let it be 
f vir trier 's'tated' that the itelephone network 4 may be any 

~ -■ other data' communication network,,, such as a CDMA net- 
work, PCN network, UMTS network or equivalent, and 
'" 35. that, "" correspondingly,' the terminal device, may be any 
' other termlTial - device compatible .iwith... the data commu- 
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. nication-networlc to,whicli, a subscriber identity module 
. or. an equivalent device can.be. connected. 

- . -Fig. 2 presents a block diagiam illustrating 
. the . various stages of control of ^n.' application in the 
5 subscriber identity-., module, ...parried out by the appli- 

■ cation control server. , The.. exa^^^^^^ 
: : application in which a bank gives .its customer the 
• . right to use i-ts bank services . using a GSM telephone 
• MS and an- application, .stored in a _ subscriber identity 

10 " module SIM -connected tp it. . p. ^ ^. , 

..-The customer.-, is .-in .possession of ah identi- 

• fier (UlD).cor.responding to the SIM card. The key k(n) 
corresponding to the, identifier ,(yi.D) and the applica- 

. -tioh .(n)r . as.:-. well .aa^tfcie keys KAl^ and KA2 have been 
15-. stored ' in -an- applicat..ion-.speci#ic key .control system 
in- the application -,control. server 1. The_custoi!i§.s^a- 

J^es .. an -agreengnt 
. vTrTI ^t-"^i- ion - based bank -service, whereupon the bank 

- s-gnds the QI.D- e arrespondi^^ 

20- -to ' an- '•aEPl4><^tA©R;saBSS^^4A& After 
thilT'the' application-specifid card, control system 
sends- an- topening message , to the SIM card corresponding 
to the UI.D.-. The ^.pperiing . message gontains the custo- 
mer's user key k(nh which is needed , for the bank ser- 

■25 vice and :which. is: to ;be,.us.ed later . to activate the 
application, stored _on the .card,, and possible regis- 
tering message..' Using: the. key k{n) sent by the card 
control'. system, : the . customer can , set . the mobile stati- 
on to. bank -mode and - send and acknowledgement of the 

-30 registering message , to the card, cqntrol system. The 

• key k(n) can also be sent , in, an. .encrypted form, which 
is.^.Tdecrypted ^-by . a decryption prpgramme on the SIM 

: .- card.: The customer now has a licensed, key that gives 
.■ him/her. the right, to, use the bank -service concerned. 
35 The key . is useless ^ to . outsiders because . it is card- 
-. specific and will only activate an application stored 
.. on the , particular, card. .. . : 
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Ih corijanctiori with the activation of the 
card, tlie custotne'r may be billed :-for the license fees 
if 'the customer acknowledges the registration. The 
' appiicatioh-specif ic cartf -cdntrol ^ system - sends to the 
5 bank the necessary ^ identifiers, i.includirng the identi- 
fier' KA(lr needed for the activation of ra bank servi- 
ce. In'the ban'k%'' the ' customer and . application specific 
identifier sent '^5y the ca¥4r control system is associa- 
ted with the res^ectrve- ^l>ahkt service. Using the appli- 
10 cation-specifier ^ictivation code --KA.(1)-/ .the bank can 
load ~ the ' s^rvlce'vmetiu-S^ a^ fo'rms needed in the bank 
' service as weir as^- the'l'ldentifier^^^ in the use 

oi'th^ service' onto thfe- ctist¥xmer/\s :.ca^ whereupon the 
bank^ seir^rid^ is avai^iabl e ~ to-: -th6- customer • The bank- 
15 * specif ic" ^^rViVe lfe^ service tforms are ; transmit- 

' ted to tlti^ - mobilV'^ station "by ^^ 't^ "dynamic menu load" 
method ^ or t¥AhV-' SIM ' cat^^^^^^^ The Air) 

methbd irf' V lrfmn4r knbwn^ in Utset^ If. the code KA (1) 
is correct, t he -a ClraVati. rig /closing ijiodule on the card 
20 will 'accept' 'the loading -^nd^ the; card.- will . be activated 
■for the bahV ^Pvi-e^-"^-* -vi- > . : 

'* Finally /'-*the-^process,descriiDed above will be 

presented^ irt- greater ^detail byj. r to the block 

; diagram irt Hg. '* At ' a bahk, .the customer makes an 

"25 agreement k¥obt utilising :a -mobile station -MS and lin- 
^kihg'"it to -a -bahl^ s6rvice,:':i)lock. .21 . ^^t the same time, 
tixe unic^ue -identifier * (UID) of the; cu«t,omer' s subscri- 
* ' ber identity • module^ is > linked .c to • the service as 
' "described ibove:^'^- In ^ihe . agreement,: the customer ac- 
' 30 cef^ts the licfehse ^cdndi-tions/- re:quired f or . the use of 
the appli^atiohV- Via the application control server 1, 
the bank* sends the unique, identifier (UID) of the 
subscriber identity mddule for the activation of the 
Application in the subscriber identity module to the 
3 5 ' application-specifics -subscriber , identity module cont- 
' ' fol system, block 22. The subscriber identity module 
control system initialises the% subscriber identity mo- 
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^ dule SIM by sending- a' registering .confirmation to the 
customer's mobile station^ block -23. At the same time, 
the dii'stomer receives a key k{n). that the customer can 
"use td switch his/her mobile station' and,,the associa- 
'5 ted subscriber identity module : into bank, mode and sub- 
sequently to open the service." • : r 

In block 24, the customer enters the key k(n) 
into the mobile station and accepts the registration 
by acknowledging the registering message sent by the 
10 subscriber identity module control system. After this, 
the subscriber identity module control system sends 
the keys needed for the use of the application to the 
bank so that the application-specific menus and custo- 
mer identifiers can be loaded into the customer's mo- 
15 bile station and subscriber identity module, block 25. 
The customer's mobile station has now been opened and 
activated and is ready for use in the bank service, 
block 26. If the customer misuses the system or other- 
wise fails to observe the terms of agreement, then the 
20 subscriber identity module control system can close 
the application in the subscriber identity module. The 
application is closed using a closing message contai- 
ning a closing key. 

If the customer fails to make the payments to 
25 be subsequently charged for the use of the applicati- 
on, e.g. the annual license fee to be paid: for the 
service, use of the application can be prevented by 
sending the subscriber identity module SIM a closing 
message from the key control system. The encrypted 
30 closing message contains a closing key by which the 
application in the subscriber identity module will re- 
cognise that the sender of the message has the right 
to close the application stored on the card. Similar- 
ly, if the mobile station together with the subscriber 
35 identity module is lost, the card or application can 
be closed. The application can be opened and activated 



'^.^^^''r-j^^^ PCT/FI98/00522 
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•again^ in ;a : corresponding manner from the application- 
specific key. contxol; system;- , , 

: . : The invention is not . restricted to the 

•examples af . its embodiments described alDove, but many 
variations- are- possible within th^ scope of the inven- 
tive idea defined by ttie claims.. 
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CLAIMS 

1^, . Procedure for the control of applications 
stored in a subscriber identity module in a data com- 
munication system compr^is^-ng a. data cpmmunication net- 
5 . work (4).,^ a terminal .device (MS) connected to the data 
communication network, . a subscriber ^identity module 
(SIM) connected, to. the, te,riT\inal device and containing 
a stored applicati^ojv ,,tha,t "inakes use _ of . the data commu- 
nication network and is used by means^ of the terminal 
10 device, tand ' an applip^.tion., cont^rol server (1) connec- 
ted to. the data ,'cojnmunicic^t ion network, , charac- 
.■ t e- r i^s dj in that |. ^ . - a. i;- • j. • 

r " a key lis^ ,coraprisAng ..one or more applicati- 
on-specific keys ; is ;-StQred in the s^ub^cribier identity 

.15 -module (SIM).;; :6^vr-:-^ - 

a- key list .^corresponding to the key list sto- 
red in the subsci^iber igieptity module is stored in the 
application .contr,ol, se,rver;, and 
J ,^ ; -the jappliMtion,^ st,Q,r|5d in the subscriber 

...-.20 identity mo^du-le i^..^a^ clpsedi using the 

key^listj ;^7;^'c^*'':. ■ 

^. 2.- Procedure ; as. defined^in ^claim 1, c h a - 
r a c t,e r- i/s.-e, d^» . in, thajt^. mod^ule (2, 3) for activa- 
ting, and/or ^closing t^e. application is stqred in the 
25 subscriber identity -,mggule^. (SIM) . 

- . 3 . " Procedure . as . defined in, claim 1 or 2, 

c h a r a c t e r-: i s ej d in that a clieck is carried out 
periodically to determine whether a valid right of ac- 
cess to - the. application- stored^ in the subscriber iden- 
3 0 tity module exists. : , 

, . . 4. Procedure as defined in any one of the 

preced,ing[ ; claims 1 - ,.3, . q, h a r a c^t e r i s e d in 
that, in the application control server, the key list 
is linked to the subscriber identity module by using a 
35 unique identifier corresponding to it. 
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5. Procedure as defined in any one of the 
preceding claims 1 - 4, characterised in 
that, by means*^ of the' application control server (1), 

' a ' miss sage conterhing the opening of the app- 
5 lication and containing ah -Application key k(n) to be 
used * in t'he application*' 'is' sent to the -subscriber 
identity modufe; and ' ' - • - ' ^ 

the "appii^^tidh^ key * is a^ttacKed to the unique 
identifier'' eorre'spoWing - the ""subS^criber identity 
iO"' module; ' ^ ^ -'^ ' - --^ 

6. Prbcediire as defined in 'any one of the 
preceding claims i'-- 5/ 'c h-a r"^ cterised in 
that, via the application 6ontrdl-^s6rver (1), 

the" right of -^dccess 'to the application is ve- 
15 "' rified on the baVis' of' the- key -li^t ; '^and ' " 

the special data heedeici Th - the application 
' ■ are sent^ if^'a' valid' access fight exists. 

7 . ^ Procedure • as' defiried in any one of the 
preceding * claims ' 1"-' - '6-,* "-'c W r *a -c t ^e r i s e d in 
20 " that the messages .between- -the application control ser- 
ver (i) ahd 1:he terminal device (MS)"arfe encryplted. 

8. Procedure as defined ' -in any one of the 
preceding claims^- "'1-^- V7, - -c har a cterised in 
' "that a' telecommunication connection is -set up between 
"^25 the terminal device (MSy - and ' the ^subscriber identity 
module (SIM) connected ' to -it- on the one hand and the 
application cbntrol'Ve^iBr the other hand via a 

telephbn'e network, "subii as- ^ mobile Communication net- 
" "wofJc. ' ■ ' ■ ' ' ' 

'3'0 ' 9. Procedure -as' defined' -in any one of the 

preceding claims 1 - '9, c-' h a -r a -C t e r i s e d in. 
''that the data coYnmuriicatidn network (4) is a GSM net- 
' - - ^ work and the terminal deVice (MS) is a GSM telephone. 
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